Original: Windows security policy: the system's built-in “software firewall”
Thanks to fonlan for the original post
With the Internet ever more popular, Internet security has become a growing problem: networks are riddled with Trojans and viruses. Most people choose to install antivirus software and a firewall, but antivirus software lags behind new viruses and is powerless against them: it can only detect and remove a virus after that virus has already done its damage. In this situation HIPS (host intrusion prevention, or active defence) software has become more popular; it relies on a set of rules to restrict how viruses and Trojans run and spread. Because HIPS is based on behaviour analysis it remains effective against unknown viruses, but its compatibility problems are much worse than those of ordinary antivirus software. There is also a group of people on the Internet who install no antivirus software and no firewall and roam the Internet freely, known as “streaking”. They fall into several types: some put no protection on their computers at all, keep nothing important on them, and simply reinstall the system once infected; others rely on the security mechanisms of Windows itself to protect the system from viruses, and this approach is clearly far more reliable.
In fact, most people overlook the functions of the Windows system itself and consider Windows fragile. Properly configured, Windows is itself a very powerful piece of security software. The subject of this article is the security policy function that comes with Windows XP Pro. Opening it is very simple: open Control Panel, double-click Administrative Tools, then Local Security Policy. Here we are concerned with Software Restriction Policies.
As the name implies, this restricts which software can run; how it restricts depends on the policies you write. If you have not set a security policy before, right-click Software Restriction Policies and choose New Policies; the items below will then appear in the menu:
We need not worry about the other items; Additional Rules is where we set the rules, and the rules written here directly concern the safety of your computer. Click Additional Rules and you can see that Microsoft has preset 4 rules for us (below)
These 4 rules ensure that the programs Windows needs in order to run are not disabled; if you are sure your own rules have no problem, deleting these four rules causes no trouble. Next, right-click Additional Rules:
In the right-click menu we usually use “New Path Rule” and occasionally “New Hash Rule”; the difference between them is explained separately below. Now click “New Path Rule” and the following window appears:
We work mainly in the Path column. Wildcards are allowed; the common ones are “*” and “?”: “*” stands for any sequence of characters and “?” for a single character. Environment variables are also allowed; the common folder environment variables are:
(assuming XP is installed on the C: drive, the default)
%ALLUSERSPROFILE% represents C:\Documents and Settings\All Users
%APPDATA% represents C:\Documents and Settings\<current user name>\Application Data
%SYSTEMROOT% and %WINDIR% represent C:\WINDOWS
%TEMP% and %TMP% represent C:\Documents and Settings\<current user name>\Local Settings\Temp
%USERPROFILE% represents C:\Documents and Settings\<current user name>
%ProgramFiles% represents C:\Program Files
When defining rules we can use an absolute path, a path with wildcards or environment variables, or even just a program name to ban that program wherever it is. This raises the question of priority. As specified by Microsoft: absolute path > path with wildcards > file name.
I will explain rule writing through the following examples:
Example 1: one of the most common tricks of Trojans and viruses is process spoofing. For instance, a virus names its file Svchost.exe and places it in the Windows folder or any other folder (the real Svchost.exe lives in the System32 folder). When the virus runs, XP's Task Manager by default shows only a process called Svchost.exe, and XP has many Svchost.exe processes, so the user is easily deceived. Ordinary antivirus software can still only handle each such virus individually; a new virus using the same trick goes unrecognised, which is very poor security. Local security policy can very simply make the system permanently immune to this kind of virus. We create two rules:
Svchost.exe is not allowed
Because of the precedence relationship, the second rule, which uses an absolute path, takes precedence over the first rule, which is based on the file name alone. This means Svchost.exe is allowed to run from the System32 folder, while a program named Svchost.exe in any other folder cannot run. Because Svchost.exe is a system file, the virus cannot replace it. As you can see, these two rules solve the problem perfectly: any future virus or Trojan using the same trick cannot run, which achieves the anti-virus effect.
Example 2: many viruses and Trojans hide in obscure places to escape the user's notice, such as the Recycle Bin, System Volume Information (the System Restore folder), C:\WINDOWS\system32\Drivers, C:\WINDOWS\system and so on, and set the hidden attribute so the user cannot easily find them. Under normal conditions these folders contain no executable programs, so we can create the following rules:
?:\Recycled\*.* not allowed
?:\System Volume Information\*.* not allowed
%Windir%\system32\Drivers\*.* not allowed
%Windir%\system\*.* not allowed
These 4 rules block any executable file under the 4 folders from running, again solving this type of virus and Trojan defence perfectly. Rest assured that the *.* format will not block non-executable files such as txt or jpg, because the policy is only enforced for executable file types.
Example 3: viruses that confuse the user with a double extension are common too, for example MM.jpg.exe, free QQ member.txt.exe and so on, with the icon changed to that of the first extension. Because most users keep XP's default of hiding known extensions, these infected files are very tempting. Defending against them is not difficult:
*.Jpg.exe not allowed
*.Txt.exe not allowed
These two rules are easy to understand, so I won't explain further.
Example 4: USB viruses are now the most widely spread kind of Trojan and virus. The usual approach is to install antivirus software or a dedicated USB virus prevention tool; can the system security policy be used for immunity? The answer is that it cannot give 100% defence, but it can reach over 90%. The rules are below:
(assuming the drive letter of your computer's first USB drive is G)
G:\*.exe not allowed
G:\*.com not allowed
Almost all USB viruses in use sit in the root directory of the USB drive as applications with the exe or com suffix, and the two rules above prevent them from running. Some USB viruses hide in hidden folders in the root of the USB drive, for example by creating a folder called System Volume Information or Recycled; under normal conditions a USB drive has no System Restore folder or Recycle Bin (removable hard drives sometimes do), so in that case we rely on the rules of Example 2 to deal with them.
Computers generally have more than one USB port, so we should immunise at least 2 to 3 USB drive letters; add the same rules for G, H and I.
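To make the precedence rule of Examples 1 to 4 concrete (absolute path beats wildcard path beats bare file name, and rules only bite on executable file types), here is a small simulator. It is an added example, not code from the article or from Microsoft: the rule list is the article's rules for Examples 1 to 4, the second Svchost rule is written out in the absolute-path form the text describes but does not spell out, the environment table and file-type list are constructed, and it assumes that `*` and `?` never cross a backslash.

```python
import ntpath
import re

# Added example: simulate how XP Software Restriction Policy path rules pick a
# winning rule for a program path. Precedence follows the article:
# absolute path > wildcard path > bare file name. Everything below is a
# constructed illustration, not Microsoft's implementation.

DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"

# Environment variables as they expand on a default XP install (from the article).
ENV = {
    "SYSTEMROOT": r"C:\WINDOWS",
    "WINDIR": r"C:\WINDOWS",
    "PROGRAMFILES": r"C:\Program Files",
    "ALLUSERSPROFILE": r"C:\Documents and Settings\All Users",
}

# Subset of SRP's designated executable file types; rules are only enforced on these.
EXECUTABLE_TYPES = {".exe", ".com", ".pif", ".scr", ".bat", ".cmd", ".vbs", ".msi"}

# The article's rules for Examples 1-4. The %SystemRoot% rule is the second
# rule of Example 1, written out here in assumed absolute-path form.
RULES = [
    ("svchost.exe", DISALLOWED),
    (r"%SystemRoot%\system32\svchost.exe", UNRESTRICTED),
    (r"?:\Recycled\*.*", DISALLOWED),
    (r"?:\System Volume Information\*.*", DISALLOWED),
    (r"%Windir%\system32\Drivers\*.*", DISALLOWED),
    (r"%Windir%\system\*.*", DISALLOWED),
    ("*.jpg.exe", DISALLOWED),
    ("*.txt.exe", DISALLOWED),
    (r"G:\*.exe", DISALLOWED),
    (r"G:\*.com", DISALLOWED),
]


def expand(pattern):
    """Expand %VAR% references from the ENV table; unknown names are left as-is."""
    return re.sub(r"%([^%]+)%",
                  lambda m: ENV.get(m.group(1).upper(), m.group(0)), pattern)


def rank(pattern):
    """Specificity: 0 = absolute path, 1 = path with wildcards, 2 = bare file name."""
    p = expand(pattern)
    has_dir = "\\" in p
    has_wild = "*" in p or "?" in p
    if has_dir and not has_wild:
        return 0
    return 1 if has_dir else 2


def to_regex(pattern):
    """Translate SRP wildcards; assumed here that * and ? do not cross a backslash."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(r"[^\\]*")
        elif ch == "?":
            out.append(r"[^\\]")
        else:
            out.append(re.escape(ch))
    return "".join(out)


def matches(pattern, path):
    """Case-insensitive match; bare file-name rules apply to the base name only."""
    p = expand(pattern).lower()
    f = path.lower()
    subject = ntpath.basename(f) if rank(pattern) == 2 else f
    return re.fullmatch(to_regex(p), subject) is not None


def evaluate(path, rules=RULES, default=UNRESTRICTED):
    """Return (level, winning_rule) for a program path; the most specific rule wins."""
    if ntpath.splitext(path)[1].lower() not in EXECUTABLE_TYPES:
        return UNRESTRICTED, None        # not a designated file type: SRP ignores it
    best = None
    for pattern, level in rules:
        if matches(pattern, path) and (best is None or rank(pattern) < best[0]):
            best = (rank(pattern), pattern, level)
    return (default, None) if best is None else (best[2], best[1])


if __name__ == "__main__":
    for sample in [r"C:\WINDOWS\system32\svchost.exe", r"C:\WINDOWS\svchost.exe",
                   r"G:\Recycled\photo.exe", r"G:\setup.exe", r"C:\pics\MM.jpg.exe",
                   r"C:\WINDOWS\system\readme.txt"]:
        print(f"{sample:40} -> {evaluate(sample)}")
```

The interesting case is the real Svchost.exe: it matches both the bare-name Disallowed rule and the absolute-path Unrestricted rule, and the absolute path wins, which is exactly why the pair of rules in Example 1 lets the genuine service run while blocking every copy elsewhere. A readme.txt in the system folder is never evaluated at all, which is the reason the *.* rules of Example 2 are safe for documents and pictures.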
Example 5: file-name disguise is a relatively old technique, but because it is simple and effective it is still widely used. For instance, some viruses rename their file to expl0rer.exe; would you dare to delete it casually? Look carefully: it is not Explorer.exe; note the difference between “0” and “o”, and similarly between “l” and “1”. Or the file is named Explorer.com; since suffixes are hidden by default it looks the same, but can you tell? And XP gives com a higher priority than exe by default, so if you type Explorer and press Enter, Explorer.com, the virus program, is executed before Explorer.exe: terrifying. A virus may even use the PIF suffix, i.e. Explorer.PIF. PIF files are executable like exe and com, but their extension is never shown in the folder, even if you have chosen to display extensions in Folder Options, which gives them strong concealment (they can, however, be seen in WinRAR and other third-party browsers). So if you have turned on display of suffixes and find an apparently normal application whose suffix is still not displayed, be careful. Without further ado, the rules:
Expl0rer.exe not allowed
Exp1orer.exe not allowed
Explorer.exe not allowed
Expl0rer.exe not allowed
Explorer.com not allowed
*.PIF is not allowed
The six rules above solve the problem of disguised Explorer.exe. PIF files are generally rare on a normal computer, so they are disabled outright. Similar rules for others such as Svchost.exe, rundll32.exe and Spoolsv.exe you can write yourself.
The above are the 5 categories of path rule; here is a brief introduction to the New Hash Rule. A hash rule, simply put, extracts identifying information from a file, such as its version and hash, and then uses that information to judge whether a file is the same file.
Because of this recognition principle, hash identification has the advantage that no matter what the file is renamed to, the same file is correctly identified. But its advantage is also its disadvantage: if you use a hash rule to accomplish the above and Windows Update then updates the protected system file, its version changes and the security policy blocks it from running, causing a system error. In short, hash rules easily lead to compatibility problems, so in general do not use “New Hash Rule”.
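Example 5 lists individual disguises by hand (a digit 0 for o, a digit 1 for l, a .com or .pif extension on a familiar name). The following added example generalises that idea into a check a defender can run over a file listing or process list: it folds look-alike characters, compares the result against a list of protected process names, and also catches names one character away. It is not code from the article; the protected-name list, the character-folding table and the set of executable extensions are constructed for this illustration.

```python
import ntpath

# Added example: flag file names that imitate core Windows process names by
# look-alike characters, a swapped executable extension, or a one-character
# typo. All tables below are constructed assumptions for the illustration.

PROTECTED = {"explorer.exe", "svchost.exe", "rundll32.exe", "spoolsv.exe"}

# Characters commonly substituted for letters in disguised names (assumed table).
FOLD = str.maketrans({"0": "o", "1": "l", "|": "l", "3": "e", "5": "s"})

# Extensions that run as programs and can hide behind a familiar name.
EXEC_EXTS = {".exe", ".com", ".pif", ".scr", ".bat", ".cmd"}


def normalise(stem):
    """Lower-case the name and fold look-alike characters back to letters."""
    return stem.lower().translate(FOLD)


def edit_distance(a, b):
    """Plain Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_name(path):
    """Return a reason string if the file name imitates a protected process, else None."""
    name = ntpath.basename(path).lower()
    stem, ext = ntpath.splitext(name)
    if ext not in EXEC_EXTS:
        return None                      # not a program: nothing to disguise
    if name in PROTECTED:
        return None                      # genuine name; its location is a path-rule matter
    folded = normalise(stem) + ".exe"
    if folded in PROTECTED:
        if normalise(stem) != stem:
            return f"look-alike characters for {folded}"
        return f"{folded} with unexpected extension {ext}"
    for protected in sorted(PROTECTED):
        if edit_distance(folded, protected) == 1:
            return f"one character away from {protected}"
    return None


if __name__ == "__main__":
    for sample in [r"C:\WINDOWS\explorer.exe", r"C:\WINDOWS\expl0rer.exe",
                   r"C:\WINDOWS\Explorer.com", r"C:\WINDOWS\explorer.pif",
                   r"C:\WINDOWS\svhost.exe", r"C:\WINDOWS\notepad.exe"]:
        print(f"{sample:30} -> {check_name(sample)}")
```

This does not replace the path rules (a flagged name is only a lead for a person to look at), but it shows why the article's six rules are a special case of a general pattern: once names are folded, every disguise in Example 5 collapses onto the one protected name it imitates.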
Although the system security policy is very unlikely to cause compatibility problems, it does happen occasionally; what should we do when we run into them? In fact the system has prepared a logging function for us. As shown in the figure, if the system security policy prevents a program from running, the system pops up the following dialog box:
Once this dialog box appears, we immediately open Control Panel, Administrative Tools, Event Viewer; the first entry is the Application log. Double-click the log entry and the following dialog box pops up:
This shows that the rule C:\Program Files\*.exe caused the compatibility problem. Note, however, that if you created the rule using an environment variable, in the form %ProgramFiles%\*.exe, the log replaces %ProgramFiles% with the actual path of the system variable, usually C:\Program Files, so the dialog box still shows it as above.
Once you know where the problem is it is naturally easy to handle: delete or modify the corresponding rule as you see fit. I also provide the rules I wrote as a download; download it and double-click to install:
Click here to download